The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #337 [Security checklist] (1 message, 1058 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/337.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: page@swan.ulowell.edu (Bob Page)
To: phage
Date: Tue 12:00:11 06/12/1988 EST
Subject: Security checklist
References: [Thread Prev: 327] [Thread Next: 341] [Message Prev: 335] [Message Next: 341]

I happen to think it's critical in our environment to keep the
source code available.  History has shown that bug fixes and
improvements come from regular folks just as much as from system
admin types.

But the point should be made: most security considerations are not
absolute; they are "thought questions".  The writer does so only to be
complete.  You can't make a valid judgement to keep the resource open
or to close it off until you know that it *could* be a problem.  I
would not have even considered recommending removing access from
/usr/src, but I can see where the point should at least be brought up.

The same can be said for most security issues, like /usr/lib/aliases
for example.  The sendmail docs say "we (ucb) leave it world
writable, you might not, but we trust our users".  In fact I keep our
aliases files readable but not writable, and have the exact problem
they describe: I have to manually edit the file when somebody wants a
change.  One of my staff wrote a daemon that gets requests (via mail)
and changes the aliases file based on those requests with locks and
passwords (on the aliases) to prevent anyone from changing random
alias entries.  (We do this because people need to change alias
entries on a mail server where they don't have an account, for
example).

On a different topic: we now know that many "cracker groups" have the
source code to the Worm.  I'm sure a half dozen folks within ULowell
already have access to the code.  It upsets me that I have to go to
these groups to get the code rather than more legitimate channels.
It should not be harder for people with white hats to get the code.

..Bob

END OF DOCUMENT